lianne143
asked on
How to allow only 40 users to run .exe for a particular program\ 30 computers\ or user basis
Hi
I have installed Visual studio on only 30 PCs. When they run the project , it says "Error while running the project: unable to start the program \\File server-a\Students\16\16asm ith\visual studio 2015\Projects\WindowsAppli cation4\bi n\Debug\Wi ndowsappli cation.exe "
This program is blocked by group policy.
Our AD is structure this way
We have a separate User workstations OU (Under this) -Education Workstation OU
-Room 45 OU
PC1, PC2, .... PC30
-Room 46 OU
PC31, PC32...PC60
We will be using only Room 45, where Visual studio is installed.
On the User Student OU
- Class16
- Class 17
- Class 18
- Class 19
On the Class 16 OU there are 20 students and on Class17 OU there are 20 students.
Now I want only the students in Class16 and Class 17 ( total 40 students) to run exe file, so that Visual studio projects runs successfully.
Do i need to create a separate GPO for this \Create a security group to run.exe and add only the 40 users to this group to run.exe
Or create a GPO to run .exe only for visual studio program.
Please let me know if there is a best way of doing this. Any tutorials will be great.
Thanks in advance
-
I have installed Visual studio on only 30 PCs. When they run the project , it says "Error while running the project: unable to start the program \\File server-a\Students\16\16asm
This program is blocked by group policy.
Our AD is structure this way
We have a separate User workstations OU (Under this) -Education Workstation OU
-Room 45 OU
PC1, PC2, .... PC30
-Room 46 OU
PC31, PC32...PC60
We will be using only Room 45, where Visual studio is installed.
On the User Student OU
- Class16
- Class 17
- Class 18
- Class 19
On the Class 16 OU there are 20 students and on Class17 OU there are 20 students.
Now I want only the students in Class16 and Class 17 ( total 40 students) to run exe file, so that Visual studio projects runs successfully.
Do i need to create a separate GPO for this \Create a security group to run.exe and add only the 40 users to this group to run.exe
Or create a GPO to run .exe only for visual studio program.
Please let me know if there is a best way of doing this. Any tutorials will be great.
Thanks in advance
-
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You should check, if the error message really comes from applocker gpo configured. In the past we also saw at some programs on the clients this message popping up but it had nothing to do with the real applocker part but rather a mixture of old application, UAC and msiexec / Installer Engine issue.
You can verify on the client inside eventlog
check inside eventvwr.exe application llogs -> Microsoft -> Windows -> Applocer and there inside the exe/ dll part. If applocker blockes something based on gpo settings configured like not allowing unknown exe from shares without excluded it will be shown here.
BR
You can verify on the client inside eventlog
check inside eventvwr.exe application llogs -> Microsoft -> Windows -> Applocer and there inside the exe/ dll part. If applocker blockes something based on gpo settings configured like not allowing unknown exe from shares without excluded it will be shown here.
BR
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Please let me know in my case as we use Windows7 Professional edition ,
Is there a different way to setup this policy
Or do I need to reinstall to Windows 7 enterprise edition
Thanks
Is there a different way to setup this policy
Or do I need to reinstall to Windows 7 enterprise edition
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok Thanks
Please see the snapshot.
I had logged into the Room45-PC1 as domain\administrator and did a RSOP , Please see the snapshot. Looks like no software policies are configured under computer configuration.
I have to make this software up and running for only for 40 users and please your help much appreciated.
Please post next steps and guide me!
Thanks again
RSOP-Snap2.pdf
Please see the snapshot.
I had logged into the Room45-PC1 as domain\administrator and did a RSOP , Please see the snapshot. Looks like no software policies are configured under computer configuration.
I have to make this software up and running for only for 40 users and please your help much appreciated.
Please post next steps and guide me!
Thanks again
RSOP-Snap2.pdf
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I cant see any thing populated at this path in the registry . Will it be because I have logged into and a Domain\administrator and running the RSOP.
Registry-pendant-of-this-policy.png
Registry-pendant-of-this-policy.png
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
By applying the following command on the command prompt, i enabled verbose SRP trace logging
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWA RE\Policie s\Microsof t\Windows\ Safer\Code Identifier s" /v LogFileName /d c:\logs\srplog.txt
After applying the command above , I ran RSOP and went to eventvwr.msc and cant see any events related to 865,866,867 and 868.
Hope I am doing the correct steps . Also VB2015 is afresh setup
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWA
After applying the command above , I ran RSOP and went to eventvwr.msc and cant see any events related to 865,866,867 and 868.
Hope I am doing the correct steps . Also VB2015 is afresh setup
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
RSOP and events viewer screen shot attached, cant see any events such as 865,866,867 and 868
Win-7-RSOP.png
Events.png
Win-7-RSOP.png
Events.png
You don't seem to understand. I asked for a screenshot of the error message. And I asked you to look at the application event log after provoking the error. Or is there no trace inside the application event log section?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Finally you have proof that I was right, it is a software restriction policy as the event log shows.
Please revisit rsop.msc and go into the software retsriction policies section and open what your screenshot does not show: "additional rules" and make a screenshot.
Please revisit rsop.msc and go into the software retsriction policies section and open what your screenshot does not show: "additional rules" and make a screenshot.
ASKER
Thanks so much , Your are right!
I cant see anything defined on the "additional rules"
But I went to the AD and below the student users OU ie "Student OU" I can see a GPO is applied called as "Student policy" and if I edit this policy- User configuration-Windows settings-security- and in the software restriction policies , I can see policies defined.
Student OU
"Student policy"-GPO
>Class16
>Class 17
>Class 18
>Class 19
Additional-rules.png
I cant see anything defined on the "additional rules"
But I went to the AD and below the student users OU ie "Student OU" I can see a GPO is applied called as "Student policy" and if I edit this policy- User configuration-Windows settings-security- and in the software restriction policies , I can see policies defined.
Student OU
"Student policy"-GPO
>Class16
>Class 17
>Class 18
>Class 19
Additional-rules.png
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I have identified the path of the WindowsApplication .exe and this file is saved to the fileserver-a, as shown below:Plaese see the attached snapshot.
\\File server-a\Students\16\16asm ith\visual studio 2015\Projects\WindowsAppli cation25\W indowsAppl ication25\ bin\Debug\ Windowsapp lication25 .exe"
Whenever a new project is created and when it is made to run, different folders ( WindowsApplication....)are created within Visual Studio 2015 as shown below:
Visual Studio 2015\Projects\WindowsAppli cation23\W indowsAppl ication23\ bin\Debug\ Windowsapp lication23 .exe"
Visual studio 2015\Projects\WindowsAppli cation24\W indowsAppl ication24\ bin\Debug\ Windowsapp lication24 .exe"
Visual studio 2015\Projects\WindowsAppli cation25\W indowsAppl ication25\ bin\Debug\ Windowsapp lication25 .exe"
I have installed VB2015 on only on Room45 OU. Please suggest, if it is possible to allow the students to run this application only on Room45OU \ Will it be possible to set up this way :Under the User Student OU, there are 5 sub OU, so that only some students within Class 16 and Class17 will need access to the VB2015.
I am concerned if I allow the .EXE on this path \\File server-a\Students folder… we have 600 students and it will not be safe to allow .exe for all. Please correct , if I am wrong!
Please let me know, how to proceed and how to delete the corresponding blacklist paths.
Thanks
snap-of-WindowsApplication-folders.png
WindowsApplication-EXE-location.png
\\File server-a\Students\16\16asm
Whenever a new project is created and when it is made to run, different folders ( WindowsApplication....)are
Visual Studio 2015\Projects\WindowsAppli
Visual studio 2015\Projects\WindowsAppli
Visual studio 2015\Projects\WindowsAppli
I have installed VB2015 on only on Room45 OU. Please suggest, if it is possible to allow the students to run this application only on Room45OU \ Will it be possible to set up this way :Under the User Student OU, there are 5 sub OU, so that only some students within Class 16 and Class17 will need access to the VB2015.
I am concerned if I allow the .EXE on this path \\File server-a\Students folder… we have 600 students and it will not be safe to allow .exe for all. Please correct , if I am wrong!
Please let me know, how to proceed and how to delete the corresponding blacklist paths.
Thanks
snap-of-WindowsApplication-folders.png
WindowsApplication-EXE-location.png
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Mcknife
I understand and appreciate you thoughts on this. I things breakup there are backups to restore and not going to blame the EE forum, I would like to sort this problem myself. I know you have helped to this stage and don't want to give up sorting this problem!
Thanks for letting me know that I cannot apply it to certain users, since it is a computer policy.
I will now create a computer policy but , please post example tutorials - to setup a policy with the path to the VB executable and allow it (create an explicit allow rule).
Thanks
I understand and appreciate you thoughts on this. I things breakup there are backups to restore and not going to blame the EE forum, I would like to sort this problem myself. I know you have helped to this stage and don't want to give up sorting this problem!
Thanks for letting me know that I cannot apply it to certain users, since it is a computer policy.
I will now create a computer policy but , please post example tutorials - to setup a policy with the path to the VB executable and allow it (create an explicit allow rule).
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for all you help, Much appreciated!
ASKER
I am not very good at active directory.
Thanks